As discussed on Zulip multiple modules inside WildFly-Core, WildFly and maybe other components shall prevent from XXE. Currently some codepoints use a native javax.xml.parsers.DocumentBuilderFactory or javax.xml.stream.XMLInputFactory. Restriction of XML External Entity Reference is lacking.

Fix:

• Provide factories setting secure defaults (here)
• Use the new factories at relevant places WFCORE-5594

Related to:

• https://owasp.org/Top10/A05_2021-Security_Misconfiguration/
• https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-3FB69003-1E4A-435C-B519-4B9D07630460

The approach is to try to set/activate the relevant properties and log a warning if the underlying Factory does not support the property. The log shall appear only once (per classloader).